NetTalk Central

Author Topic: SSL & site Security  (Read 2648 times)

rupertvz

  • Sr. Member
  • ****
  • Posts: 326
    • View Profile
    • Email
SSL & site Security
« on: March 16, 2014, 10:30:57 PM »
Hi Guys,

I need to confirm that we implemented the best security possible for a particular site;

1.  We are running an SSL cert for the site
2.  The web user access table is encrypted
3.  The user password is stored as MD5 and compared with the database upon logging in

There is an option for the user to reset their password, by supplying their e-mail address and a previous invoice number issued to their account.  (which wouldn't be possible by a random guess)

A possible security-flaw is that neither the user's e-mail address or invoice numbers are stored in MD5 encryption?

Any ideas to improve the security will be very helpful.



Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: SSL & site Security
« Reply #1 on: March 16, 2014, 11:05:11 PM »
storing the password as a plain MD5 is not really ideal.
If someone got the data then they could easily subject them to a rainbow table attack.

A better approach is to have a random string - say 16 chars long in the record. This string is not a secret (it can be stored as-is) but it should be different for each user.

then what you hash is the
secret & password & secret

this means that if 2 users have the same password, they end up with different hash values. and it's next to impossible for a hacker to have a pre-computer, rainbow table, for each of the salt values.

BTW - SHA would be a better hash than MD5. SHA256 would be even better (but is not available on XP, so your _server_ couldn't not run on XP if you used SHA256)

also MD5 is a "hash" - not an encryption. So it's not possible to store the hash of the email address or invoice number. Because if you stored those hashed they could not be "decrypted" or used.

Cheers
Bruce

rupertvz

  • Sr. Member
  • ****
  • Posts: 326
    • View Profile
    • Email
Re: SSL & site Security
« Reply #2 on: March 16, 2014, 11:39:38 PM »
Thanks Bruce, I will change the password encryption accordingly.

Does it make sense to have a password recovery-lookup by e-mail address and invoice number combination, which is stored in plain text?  Or should I rather create an additional encrypted field for the e-mail address for password recovery purposes?  Thus having the e-mail address field in plain text for normal operation and additionally encrypted e-mail-address for recovery purposes?

When I user logons on, I do a normal key-fetch on the user-table and then compare "encrypted" password to set the login status.  Is this the best way to do it?

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: SSL & site Security
« Reply #3 on: March 16, 2014, 11:59:42 PM »
The person who is doing the recovery would need to have access to the email account to get the reset email.

you could add a layer to make that email "valid" only for a period of time, say 1 hour, and only for 1 use - that would make it stronger.

encrypting the email on your side doesn't add any security to the process.
(of course encrypting the data may prevent other problems if your data is stolen, but that's a separate discussion.)

cheers
Bruce